This webpage provides instructions for using the acme-dns DNS challenge method with various ACME clients to obtain HTTPS certificates for private networks. Caddy, Traefik, cert-manager, acme.sh, LEGO and Certify The Web are listed as ACME clients that support acme-dns. For each client, configuration examples are provided that show how to set API credentials and other settings to use the acme-dns service at https://api.getlocalcert.net/api/v1/acme-dns-compat to obtain certificates. Interesting that so many ACME clients support the acme-dns service, providing an easy way to obtain HTTPS certificates for private networks.

HN https://news.ycombinator.com/item?id=36674224

seiferteric: Proposes an idea for automatically creating trusted certificates for new devices on a private network.

hartmel: Mentions SCEP which allows automatic certificate enrollment for network devices.

mananaysiempre: Thinks using EJBCA for this, as hartmel suggested, adds unnecessary complexity.

8organicbits: Describes a solution using getlocalcert which issues certificates for anonymous domain names.

austin-cheney: Has a solution using TypeScript that checks for existing certificates and creates them if needed, installing them in the OS and browser.

bruce511: Says automating the process is possible.

lolinder: Mentions Caddy will automatically create and manage certificates for local domains.

frfl: Uses Lego to get a Let’s Encrypt certificate for a local network website using the DNS challenge.

donselaar: Recommends DANE which works well for private networks without a public CA, but lacks browser support.

  • abhibeckert@beehaw.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Unfortunately these days internal CAs aren’t always trusted. We have one where I work, and hundreds of times a day people have to click through “I understand the risks, proceed anyway” alert prompts.

    Which makes me really uncomfortable - I fear one day someone will blindly click past a warning about an actual malicious certificate.

    • TemporalSoup@beehaw.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      It kills me that companies seem to willingly train their users to ignore warnings and signs that something is amiss.

      “Yeah, all our emails from that vendor come with the external email warning, just ignore it”